-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathhttps-flow.plantuml
More file actions
51 lines (51 loc) · 2.86 KB
/
https-flow.plantuml
File metadata and controls
51 lines (51 loc) · 2.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
@startuml
participant "Client" as c
participant "Server" as s
==TCP Handshake==
c<->s: //Establish TCP Connection//
==TLS Handshake (v1.2)==
c->s: **Client Hello (1)**\n Version, Random, Session ID, Ciphers Suites, Extensions (server_name)
s->c: **Server Hello (2)**\n Version, Random (Server), Session ID, Ciphers Suite, Extensions
s->c: **Certificate (11)**
note right c: Verifiy the server certificate against its trust store, \nincluding the certificate chain up to a trusted CA.
alt Diffie-Hellman series Key Exchange
alt Static Diffie-Hellman-based key exchange (DH/ECDH)
note right c: Extract static public key and signed key exchange data \n(e.g., DH p/g or curve info, public key, signature)
else Ephemeral Diffie-Hellman-based key exchange (DHE/ECDHE/X25519)
note left s: Generate ephemeral key pair \n(e.g., p, g for DHE or curve info, private key), \ncompute public key, \nand sign key exchange data with certificate private key
s->c: **Server Key Exchange (12)** \nEphemeral public key and signed key exchange data \n(e.g., DH p/g or curve info, public key, signature)
note right c: Verify signature by server certificate's publicKey
end
alt Client-authentication Required
s->c: **Certificate Request (13)** \nSignature Hash Algorithms, Distinguished Names
end
s->c: **Server Hello Done (14)**
alt Client-authentication Required
c->s: **Certificate (11)**
note left of s: Verify client certificate against configured CA certificate
end
alt Diffie-Hellman series Key Exchange
note right c: Generate a client ephemeral private key, compute the public key, \nand derive the shared secret (PreMasterSecret)
c->s: **Client Key Exchange (16)** \nClient ephemeral public key (e.g., DH public value)
note left s: Derive PreMasterSecret
else RSA Key Exchange
note right c: Generate PreMasterSecret
c->s: **Client Key Exchange (16)** \nPreMasterSecret (encrypted by server certificate's publicKey)
note left s: Decrypt PreMasterSecret by server certificate's privateKey
end
alt Client-authentication Required
note right of c: Sign previous handshake messages with the certificate's private key
c -> s: **Certificate Verify (15)**\nSignature (signed by the client's certificate private key)
note left of s: Verify the signature with the client's certificate public key
end
note over c, s: Derive encryption keys (SessionKey) based on the PreMasterSecret and random values
c->s: **Change Cipher Spec (20), Encrpted Handshake Message**\n Encrypted Finished message, containing a hash and MAC
s->c: **Change Cipher Spec (20), Encrpted Handshake Message**\n Encrypted Finished message, containing a hash and MAC
note over c, s: Decrypt and verify by SessionKey
==HTTP Data Exchange==
c->s: **Application Data** \n(encrypted by SessionKey)
s->c: **Application Data** \n(encrypted by SessionKey)
==Connection termination==
c->s: **Encrypted Alert**
c<->s: //Terminate TCP Connection//
@enduml